
What does an SBC do?

[Figure: Carrier SBCs sit at the SP network edge, between the enterprise network (IP PBX, firewall, intranet) and the SP network.]

Historically designed to sit at the SP's edge to protect the carrier.
Complex-to-use, command-line devices.
Provides a distinct separation between networks while providing a means of transporting signaling and media.
Perform topology hiding for the SP.
Tracking calls (CDR) for billing.
Act as a Network Address Translator (NAT) for the SP.
Provides admission control to limit calls from the customer (and ensure SLA).
Protocol internetworking for H.323 and SIP.

2012 Avaya Inc. All rights reserved.

11/26/2012

Enterprise SBC

[Figure: Mobile users and telecommuters on the Internet reach the Avaya SBCE, which sits in the DMZ between the external FW/NAT and the internal FW, in front of the enterprise network (IP PBX, intranet).]

Avaya SBCE
Encryption: TLS proxy, SRTP proxy
Enablement: FW / NAT traversal, call admission control, signaling and media firewall


[Figure labels: SRTP/RTP, Remote Worker, Internet, SIP Trunking]

Security
Floods and fuzzing prevention
Spoofing prevention (fingerprint verification)
Media anomaly prevention
Stealth attack prevention
Toll fraud prevention
Anti-spam
Whitelist/Blacklist
Behavior learning

06/01/2012

Avaya SBCE: SIP Trunking Architecture

Use Case: SIP Trunking to Carrier

Carrier offering SIP trunks as a lower-cost alternative to TDM
Heavy driver for Enterprise adoption of SBC
Support Aura, IPO and CS1K
From a security standpoint, it is recommended the SBCE be in the DMZ

[Figure: Enterprise (CS1000) - Firewall - DMZ (Avaya SBCE) - Firewall - Internet - SIP Trunks - Carrier]

Carrier SIP trunks terminate on the Avaya Session Border Controller for Enterprise
Avaya SBCE is located in a DMZ behind the Enterprise firewall
Services: security and demarcation device between the IP-PBX and the Carrier; NAT traversal; securely anchors signaling and media; can normalize SIP protocol

NAT Traversal

[Figure: IP PBX - Enterprise - SBC external IP address 192.168.45.4 - FW IP address 96.54.23.10 - Internet or Provider Network]

At a basic level think of it this way: if the SBC sends an INVITE message to the carrier, can the carrier reply and reach IP address 192.168.45.4? No.
The SBC facilitates NAT traversal by making sure all signaling messages have a REACHABLE return address. In this example, the INVITE would have a source address of 96.54.23.10.
When a reply is sent it reaches the firewall, which forwards it to the SBC's external IP address.
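The return-address rewrite described above, as an added example that is not Avaya code: the SBC replaces its private address on the Via, Contact and SDP c=/o= lines with the firewall's public address 96.54.23.10, and a check confirms no RFC 1918 address is left for the carrier to reply to. The INVITE is constructed for the example.

```python
import re

# Addresses from the slide: the SBC's external interface holds a private
# address, and only the enterprise firewall's public address is reachable
# from the carrier side.
SBC_EXTERNAL_IP = "192.168.45.4"
FIREWALL_PUBLIC_IP = "96.54.23.10"

# Constructed sample INVITE, as the SBC would build it before NAT fix-up.
RAW_INVITE = "\r\n".join([
    "INVITE sip:+15551234567@carrier.example.net SIP/2.0",
    f"Via: SIP/2.0/UDP {SBC_EXTERNAL_IP}:5060;branch=z9hG4bK776asdhds",
    f"Contact: <sip:1000@{SBC_EXTERNAL_IP}:5060>",
    "Content-Type: application/sdp",
    "",
    "v=0",
    f"o=- 1 1 IN IP4 {SBC_EXTERNAL_IP}",
    "s=-",
    f"c=IN IP4 {SBC_EXTERNAL_IP}",
    "m=audio 30000 RTP/AVP 0",
])

# Lines that tell the far end where to send replies (Via, Contact,
# Record-Route) and media (SDP c= and o=). The Request-URI, From/To
# and the m= port are deliberately left untouched.
RETURN_ADDRESS_LINES = re.compile(r"^(Via|Contact|Record-Route|c=|o=)", re.I)
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
RFC1918 = re.compile(r"^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)")

def return_addresses(message: str) -> set:
    """Every IPv4 address the carrier would use to reach us."""
    return {ip for line in message.split("\r\n")
            if RETURN_ADDRESS_LINES.match(line) for ip in IPV4.findall(line)}

def nat_fixup(message: str, private_ip: str, public_ip: str) -> str:
    """Rewrite the SBC's private return address to the firewall's public
    address on signaling and SDP return-address lines only."""
    fixed = []
    for line in message.split("\r\n"):
        if RETURN_ADDRESS_LINES.match(line):
            line = line.replace(private_ip, public_ip)
        fixed.append(line)
    return "\r\n".join(fixed)

def is_reachable_from_internet(message: str) -> bool:
    """True once no RFC 1918 address is left as a return address."""
    return not any(RFC1918.match(ip) for ip in return_addresses(message))
```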

Understanding Toll Fraud

Toll fraud can only be prevented by a holistic approach involving best-practice configuration of many elements in a UC environment.
Examples include:
Customized tuning of the SBC to set intelligent call thresholds for outbound and inbound traffic (based on time of day for optimal fine-tuning)
Enable short-call duration toll fraud protection
Limit international calls to only valid destinations for needed countries


DoS and Toll Fraud Protection

Single Source DoS: any type of DoS attack that is directed against one or more enterprise endpoints and originates from a single source (normally spoofed).

Stealth DoS/DDoS: a type of low-volume DoS attack that is directed against an endpoint where the source of the call is constantly changed.

Call Walking: a type of DoS attack whereby serial calls originating from a single source (normally spoofed) are directed against a sequential group of endpoints.

Toll Fraud: refers to internal or external users using the corporate phone system to place unauthorized toll calls.

Phone DoS/DDoS: a type of DoS attack that is directed against a single enterprise endpoint.


DoS and Toll Fraud Protection

DoS settings can be customized
Time-of-Day can be used to refine DoS settings
Specific protection exists for Short Duration Toll Fraud as well:
Short call duration toll fraud is where a large number of short calls (less than 1-2 seconds) are made to make money on the connect fees.
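An added detection example, not SBCE code, covering the attack categories defined on the previous slide and the short-call pattern described here: it classifies constructed call records into single-source DoS, call walking, stealth DoS/DDoS and short-call toll fraud. The thresholds and the sample records are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample call attempts as (time_s, source, destination, duration_s);
# duration 0 means the attempt never connected. Four attack patterns from the
# slides are mixed in with two normal calls.
CALLS = [(1, "sip:+14155550100@pbx", "sip:+18005550199@carrier", 120),
         (30, "sip:+14155550101@pbx", "sip:+18005550198@carrier", 95)]
CALLS += [(t, "10.9.9.9", "sip:2001@pbx", 0) for t in range(25)]                   # single-source DoS
CALLS += [(5 + i, "10.8.8.8", f"sip:{3000 + i}@pbx", 0) for i in range(7)]          # call walking
CALLS += [(t, f"198.51.100.{t}", "sip:2002@pbx", 0) for t in range(1, 13)]         # stealth DDoS
CALLS += [(t, "sip:1000@pbx", "sip:+88213100000@carrier", 1) for t in range(12)]  # short-call toll fraud

NUMBER = re.compile(r"sip:\+?(\d+)")

def longest_consecutive_run(numbers):
    """Length of the longest run of consecutive dialled numbers (sorted input)."""
    if not numbers:
        return 0
    best = run = 1
    for prev, cur in zip(numbers, numbers[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best

def detect(calls, max_per_source=20, walk_len=5, stealth_min=10,
           short_s=2, short_min=10):
    """Map call records to the slide's categories. The thresholds are
    illustrative assumptions, not SBCE defaults."""
    per_source, per_dest = defaultdict(list), defaultdict(list)
    short_by_dest = defaultdict(int)
    for _, src, dst, dur in calls:
        per_source[src].append(dst)
        per_dest[dst].append(src)
        if 0 < dur <= short_s:          # connected, but only for a moment
            short_by_dest[dst] += 1
    found = {"single_source_dos": [], "call_walking": [], "stealth_dos": []}
    for src, dsts in per_source.items():
        if len(dsts) >= max_per_source:            # one source, many attempts
            found["single_source_dos"].append(src)
        dialled = sorted({int(m.group(1)) for d in dsts if (m := NUMBER.match(d))})
        if longest_consecutive_run(dialled) >= walk_len:   # sequential sweep
            found["call_walking"].append(src)
    for dst, srcs in per_dest.items():
        # many attempts on one endpoint, nearly every one from a new source
        if len(srcs) >= stealth_min and len(set(srcs)) >= 0.9 * len(srcs):
            found["stealth_dos"].append(dst)
    # many sub-2-second connected calls to one number: connect-fee fraud
    found["short_call_toll_fraud"] = [d for d, n in short_by_dest.items() if n >= short_min]
    return found
```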


Avaya SBCE: Remote Worker Architecture

Use Case: Remote Worker

Extend UC to SIP users remote to the Enterprise
Solution not requiring VPN for UC/CC SIP endpoints
From a security standpoint, it is recommended the SBCE be in the DMZ

[Figure: Enterprise - Firewall - DMZ (Avaya SBCE) - Firewall - Internet - Remote Workers]

Remote Workers are external to the Enterprise firewall

Avaya Session Border Controller for Enterprise
Authenticate SIP-based users/clients to the enterprise
Securely proxy registrations and client device provisioning
Securely manage communications without requiring a VPN

Remote Worker: VPN vs VPNless Endpoints

VPN Endpoint
VPN headers add additional size to traffic. In aggregate, this reduces bandwidth.
Encrypts traffic, yet does not validate it. (Encrypting and distributing a virus isn't helpful.)
No ability at the VPN head-end to distinguish between voice and data traffic. Ultimately voice quality suffers.
Cumbersome user experience for real-time communication applications.

VPNless Endpoint
TLS/SRTP encrypts the traffic with a smaller bandwidth footprint than VPN.
Signaling and media are unencrypted at the SBC and inspected at Layer 7 to validate the traffic before it is allowed through.
Numerous policies allow Enterprise control of endpoints.
Consistent user experience for applications.

Call Servers

For SIP Trunking, an accepted architecture is:
Call Server + SBC
Call Server + SM + SBC

A valid call server is:
CS1k 7.5
CM 5.2.1
IPO 8.x

Session Manager is NOT required for SIP Trunking.
SM must be 6.x.
For SIP Trunking, if these basic requirements are not met there is no opportunity with this customer UNTIL these elements are there.


Avaya SBCE 4.0.5 and 6.2 Interoperability Matrix

All tests performed in the SIL Labs.

| Platform  | No SM       | SM 6.1      | SM 6.2      |
|-----------|-------------|-------------|-------------|
| CS1K R7.5 | R4.0.5/R6.2 | R4.0.5/R6.2 | R4.0.5/R6.2 |
| IPO R8.0  | R4.0.5/R6.2 | NA          | NA          |
| CM R5.2.1 | R4.0.5/R6.2 | R4.0.5/R6.2 | R4.0.5/R6.2 |
| CM 6.0.1  | R4.0.5/R6.2 | R4.0.5/R6.2 | NA          |
| CM R6.2   | R4.0.5/R6.2 | R4.0.5/R6.2 | R4.0.5/R6.2 |

R4.0.5/R6.2 = Supported - Tested
NA = Not Supported or Tested.

IPO 8.x
ONLY supports SIP Trunking
ONLY certified with AT&T at the moment
A generic app note is in the works to accommodate additional carriers


Carriers Tested as of November 10th, 2013.


Alestra
AT&T
AT&T Puerto Rico
Belgacom
Bell Canada
Broad-Connect
Broadview
BT Global Services
BT HIPCOM
BT Italia
BT Wholesale
Cable & Wireless
CenturyLink

Colt
Etisalat
Fastweb SPA
Frontier
Gamma
IntelePeer
KPN
Level 3
MTSAllStream
PAETEC
Phonect
QSC
Sprint
Swisscom
Tele2
Telefonica del Peru
Telenor

Teliasonera
TELUS
T-Mobile NL
UPC
Vamoin1/KPN
Verizon Business
Virgin Media
Vodafone DE
Vodafone NL
VoicePulse
Windstream
Worldnet P. Rico
XO

Find App Notes Here:
https://devconnect.avaya.com/public/dyn/d_dyn.jsp?fn=103

SIP Trunking Qualification

Must include supported call servers (CS1K, CM, SM, IPO)
Must be explicitly tested with that given configuration with the carrier.
Example: if CM-SBC -> Service Provider A is tested, that does NOT mean CM-SM -> Service Provider A is tested.
Make sure the specific configuration is documented with an App Note.
If the architecture is valid but it is not tested, then escalate through Jack Rynes.


SIP Trunking with AACC

AACC: if this is a basic SIP Trunking deployment involving:
Service Provider - SBC - SM - CM
there may be a valid solution for the SBC, but all call flows should be vetted with the CSEs.


SIP Trunking with Call Center Elite

CC Elite: if this is a basic SIP Trunking deployment involving:
Service Provider - SBC - SM - CM
- and - Avaya Experience Portal is NOT part of the call flow,
there may be a valid solution for the SBC, but all call flows should be vetted with the CSEs.


Avaya SBCE Key Features

The Unique Avaya Solution for UC Application Security

[Figure: Authenticated endpoints and encrypted sessions. Remote phones behind a remote NAT & firewall reach the Avaya SBCAE across the Internet and through the Enterprise DMZ firewalls; the SBC allows the supporting protocols with full NAT, giving remote users full features. Intranet services behind the SBC: Avaya Session Manager (SIP), Internal Phone (RTP), Remote Phone Configuration (HTTPS), Certificate Authority (SCEP), Personal Profile Manager (SOAP), Directory Server (LDAP), Web Server (HTTP), Presence and IM (XMPP).]

Security
UC Policy, Access control, & Authentication
Privacy (encryption) with TLS, SRTP
UC Threat protection

Comprehensive Services
Directory, Web applications, Login profiles

Remote Management
Configuration management
Certificate, PKI management

ASBCE 6.2 System Capacity

Session Border Controller capacities are rated in Simultaneous Sessions.

Capacity in Simultaneous Sessions

| Configuration          | Max Capacity W/out Encrypt | Max Capacity With Encrypt |
|------------------------|----------------------------|---------------------------|
| HA                     | 2000                       | 1000                      |
| SA                     | 2000                       | 1000                      |
| SA (Portwell CAD-0208) | 500                        | 250                       |

Rules of Thumb
SIP trunking usually 5 users per SS
Must account for higher ratio in small
Remote Worker must consider both on-net and off-net requirements
Remember, in Dell configs, Encryption Services impact capacity

A simultaneous session = a communication session between 2 SIP endpoints.
Can think of it as analogous to a DS0 in the old world.
Key for engineering is to understand the number of sessions required in the solution:
For Secure SIP trunking, look at the number of TDM DS0s required.
For Remote Worker, calculate required call volumes.
